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Manually create and send raw TCP/IP 
packets 


In this chapter we are going to to use our knowledge on packets to manually craft 


and put them on the wire. 


The blueprint 


We now want to craft a packet and send it through the network. Let’s start by 
identifying the properties our packet should have: 


e [Pv4 packet 

e TCP SYN packet 

e from our client (10.10.10.2) to the server (10.10.10.1) 
e from port 12345 to port 80 

e fill up the other headers with the necessary data 


We will use our packet blueprints from the previous part of this series to aid us in 
creating the packet: 


Type of Service Total Length 
a 00 00 28 


Identification Fragment Offset 
ab cd 00000000000002 


Time to Live Protocol Header Checksum 


40 06 22 ?? 


Source Address 


Oa Oa Oa 02 (= 10.10.10.2) 


Destination Address 
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Oa Oa Oa O1 = 10.10.10.1) 


Source Port Destination Port 


30 39 (= 1234510) 00 50 (= 8010) 


Sequence Number 
00 00 00 00 


Acknowledgement Number 
00 00 00 00 


Data 
offset W R I Window Size 
71 10 
01012 


Checksum Urgent Pointer 


hed Ake, 00 00 


Based on our knowledge from the previous parts of this series we filled our 
blueprint with the relevant values (Identification and Window Size are just random 
in this case). As a small exercise, try to understand the meaning behind the values 
in Total Length and Data Offset. 


You might have seen, that two values are missing for now, the Header Checksum 
for the IP segment and the Checksum from the TCP segment. 


TCP Checksum & IP Header Checksum 


TCP Checksum 


Let’s start with the TCP checksum. Remembering from the first part of this series 
we know, that the checksum consists of values of the TCP Header itself, as well as a 
pseudo-header. For the calculations, all necessary values are used in 16 bit words 
and added together as shown below. In case the value isn’t 16 bit long, it will be 
prepended with zeros. 
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ete Additional 
Description Value ona 
Description 
?Protocol 0x0006 + 06 
Source Address (IP) Ox0a0a + Ox0a02 + 10.10.10.2 
Destination Address (IP) OxOa0a + 0x0a01 + 10.10.10.1 


TCP length (including the data part) in 


byte 20 bytes (= 14 
0x0014 + 
(no actual header field, has to be in hex) 
counted!) 
Source + Destination Port 0x3039 + 0x0050 + 1234 and 80 
Sequence Number 0x0000 + 0x0000 + 00 00 00 00 
Acknowledgement Number 0x0000 + 0x0000 + 00 00 00 00 
0101 000 
Data Offset, Reserved, Flags, Window 
Size 0x5002 + 0x7110 + 000000010 
and 7110 
Checksum (set to 0x0000 in 
, i 0x0000 + 0x0000 = 
calculation), Urgent Pointer 
Subtotal 0x119cc 
Removing the carryover Shade oe 
8 a Ox19cd 
Negation with Oxffff Oxffff - 0x19cd = 
Checksum Oxe632 


IP Header Checksum 


The IP header checksum is easy to calculate. It consists out of all values in the IP 
header, again added in 16 bit words and prepended with zeros in case the value is 
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too short: 


Description 


Version, IHL, Type of Service + Total 
Length 


Identification + Flags, Fragment 
Offset 


TTL, Protocol + Header Checksum 
(0x0000 in calculation) 


Source Address (IP) 
Destination Address (IP) 


Subtotal 


Removing the carryover 


Negation with Oxffff 


Header Checksum 
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Value 


0x4500 + 0x0028 + 


Oxabcd + 0x0000 + 


0x4006 + 0x0000 + 


Ox0Oa0a + 0x0a02 + 


Ox0a0a + 0x0a01 = 


0x15912 


0x5912 + 0x0001 = 
0x5913 


Oxffff - 0x5913 = 


Oxa6ec 


Additional 
Description 


10.10.10.2 


10.10.10.1 


As you could see, both checksums follow the same algorithm, just their input values 


are different. 


Now let’s put the calculated checksums in our blueprint. For better readability, they 


are arranged like this: 


45 00 00 28 
ab cd 00 00 
40 06 a6 ec 
Oa Oa Oa 02 


7/2/24 
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Oa Oa Oa 01 
30 39 00 50 
00 00 00 00 
00 00 00 00 
50 02 71 10 


e6 32 00 00 


Sending a self crafted packet 


After we have now manually created our first TCP/IP packet, let’s put it on the 
wire. As this isa [SYN] packet we are sending to our webserver, we expect him to 
respond with a [SYN, ACK] if everything works as planned. For this example we 
are going to use Python’s built-in socket module: 


import socket 


s = socket.socket(socket.AF INET, socket.SOCK RAW, socket.IPPROTO TCP) 
s.setsockopt(socket.IPPROTO IP, socket.IP_HDRINCL, 1) 


ip header = b'\x45\x00\x00\x28' 
ip header += b'\xab\xcd\x00\x00' 
ip header += b'\x40\x06\xa6\xec' 
ip header += b'\x0a\x0a\x0a\x02' 
ip header += b'\xOa\x0a\x0a\x01' 


Version, IHL, Type of Service | Tote 
Identification | Flags, Fragment Off 
TTL, Protocol | Header Checksum 
Source Address 

Destination Address 


# HF HR HR 


tcp header = b'\x30\x39\x00\x50' 
tcp header += b'\x00\x00\x00\x00' 
tcp header += b'\x00\x00\x00\x00' 
tcp header += b'\x50\x02\x71\x10' 
tcp header += b'\xe6\x32\x00\x00' 


Source Port | Destination Port 
Sequence Number 

Acknowledgement Number 

Data Offset, Reserved, Flags | Windc 
Checksum | Urgent Pointer 


# He HR HR 


packet = ip header + tcp header 
s.sendto(packet, ('10.10.10.1', 0)) 
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We are creating a socket s out of the Internet Protocol family AF_INET , in “raw” 
mode SOCK_RAW which will be sending TCP packets IPPROTO_TCP . With the 
setsockopt() we tell the kernel not to generate an IP header, since we are 
providing it ourselves. For further details on the Python socket module, I 
recommend the Python documentation on sockets. When working with raw 
sockets in scripts, most operating system require advanced privileges (e.g. root 
user) to run them: 


root@kali:~# python3 send first packet.py 


Utilizing Wireshark, we observe what happens when we send the packet: 


A] ip.addr == 10.10.10.1 && tcp.port == 80 xi - ~) Expression... + 
No. Time Source Destination Protocol Length Info 
1 0.000000000 10.10.10.2 10.10.10.1 TCP 54 12345 — 80 [SYN] Seq=0 Win=28944 Len=0 


2 0.000455860 10.10.10.1 10.10.10.2 TCP 60 80 — 12345 [SYN, ACK] Seq=0 Ack=1 Win=2920 


As expected, our Python script sends a [SYN] packet to port 80 of our webserver. 
This server replies with a [SYN, ACK] , the second step of a typical TCP three-way 
handshake. The third packet however is a [RST] reset sent from our client to the 
server. This happened because of the value we set as source port of our packet. 
Despite providing 12345 as source port, there is no application on our side listening 
on that port to accept the incoming [SYN, ACK] . Therefore, a reset packet is sent, 
and the connection establishment is canceled. 


In case you don't get the upper result, check whether your calculated checksums 


are correct. To verify them in Wireshark, go: Right click (on any packet) > Protocol 
Preferences > “Validate the TCP checksum if possible”. 


Improving our crafted packet 


Having again a closer look at the first packet we sent, we will see that there are 14 
more bytes in front of our IP header (highlighted in blue). 


colololcmmOO Oc 29 d3 be d6 00 Oc 29 e0 c4 af 45 o0 


00 28 ab cd 00 00 40 06 a6 ec Oa Oa Oa 02 Oa Da epi Seer ree 
Oa 01 30 39 00 50 00 00O 00 OO OO 00 00 00 50 02 nOi Pea aasid P. 
71 10 e6 32 00 00 Deedee 
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These bytes are the ethernet layer, the layer below the internet and transport layer: 


Destination MAC Protocol 
V Source MAC Address ii 
Address Type 
08 00? (= 
00 Oc 29 d3 be d6 00 Oc 29 e0 c4 af ( 
IPv4) 


Since we want to create the complete packet by hand, we need to slightly modify 
our Python script by manually adding the ethernet layer: 


import socket 


s = socket.socket(socket.AF PACKET, socket.SOCK RAW) 
s.bind(("eth0", 0)) 


ethernet = b'\x00\x0c\x29\xd3\xbe\xd6' # MAC Address Destination 
ethernet += b'\x00\x0c\x29\xe0\xc4\xaf' # MAC Address Source 
ethernet += b'\x08\x00' # Protocol-Type: IPv4 


ip header = b'\x45\x00\x00\x28' # Version, IHL, Type of Service | Toté 
ip header += b'\xab\xcd\x00\x00' # Identification | Flags, Fragment Off 
ip header += b'\x40\x06\xa6\xec' # TTL, Protocol | Header Checksum 
# 
# 


ip header += b'\xQa\x0a\x0a\x02' Source Address 
ip_header += b'\x0a\x0a\x0a\x01' Destination Address 


tcp header = b'\x30\x39\x00\x50' 
tcp header += b'\x00\x00\x00\x00' 
tcp header += b'\x00\x00\x00\x00' 
tcp_ header += b'\x50\x02\x71\x10' 
tcp header += b'\xe6\x32\x00\x00' 


Source Port | Destination Port 
Sequence Number 

Acknowledgement Number 

Data Offset, Reserved, Flags | Windc 
Checksum | Urgent Pointer 


*# He HH 


packet = ethernet + ip header + tcp header 
s.send(packet) 


We are again creating a “raw” socket, but this time from the address family “packet”, 
allowing us to play on a very low protocol level. Then we bind the socket to our 
network interface eth® (might be a different one for you; check that e.g. with 
“ifconfig” command). 
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root@kali:~# python3 send first packet _v2.py 


After executing the new script we observe the output of Wireshark again: 


ip.addr == 10.10.10.1 && tcp.port == 80 [X] ~| Expression... + 


No. Time Source Destination Protocol Length Info 


1 0.000000000 10.18.18. 2 54 12345 — 80 [SYN] Seq=0 Win=28944 Len=0 
| 2 0.000473778 190.190.10.1 190.190.10.2 TCP 60 80 — 12345 [SYN, ACK] Seq=0 Ack=1 Win=2920 


34 1234 80 [RST] Seq=1 Win=0 Len=( 


Everything worked as expected, we have the start of the three-way handshake 


followed by the reset. 


Now we have learned how we can manually create any kind TCP/IP packet we want 
to. This knowledge has a very large application range, e.g. starting from low level 
programming to pentesting and fuzzing. An example of what you can do with this 
will be shown in the next part of the tutorial series where we create a stealth port 
scanner. 


TCP/IP packets 


Introduction 

1 Recap on network layers and protocols 

2 Analysis of a raw TCP/IP packet 

3 Manually create and send raw TCP/IP packets 
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